Privacy Policy

The data controller is Mundus, an independent project operated from Brazil. There is no separate legal entity at this time. Privacy requests are handled through [email protected].

The following categories of personal data are processed.

From Google during sign-in

• Email address.
• Email verification status.
• Profile name, used to seed an initial display name.

Provided by the user

• Username, chosen during onboarding and immutable thereafter.
• Display name, editable at any time.
• Optional uploaded avatar image.

Generated by the system

• Avatar seed used to render deterministic identicons.
• Coin balance, Legacy total, and the count of countries currently ruled.
• The full history of takeovers, coin transactions, and other events involving the account.

Operational

• IP address and user-agent on authentication events, used for security and abuse detection.
• Minimal request metadata used to enforce rate limits and detect automated activity.

Payments

• Card details are handled directly by Stripe. Mundus does not receive or store card numbers, expiry dates, or security codes.
• Mundus stores the Stripe customer identifier, the charge or payment intent identifier, the amount paid in fiat, and the webhook event identifier required to credit coins exactly once.

The legal bases for processing are the following:

• Performance of a contract. Operating the platform, executing takeovers, crediting coins, and maintaining the public record.
• Legitimate interest. Detecting and preventing fraud, abuse, automated activity, and security incidents. Protecting the integrity of the public record.
• Legal obligation. Retaining transaction records for tax and accounting purposes for the periods required by applicable law.
• Consent. For any optional processing that requires it, including analytics or marketing if and when those become active on the platform.

Personal data is shared only with the processors required to operate the service. Mundus does not sell personal data.

• Google.Identity provider for sign-in. Subject to Google's own terms and privacy policy.
• Stripe.Payment processing for coin purchases. Subject to Stripe's own terms and privacy policy.
• Sentry.Error tracking, when enabled by the operator. Receives stack traces and operational context that may include the affected user's identifier so that an incident can be reproduced.
• S3-compatible storage. Storage of avatar images uploaded by the user, when this option is used instead of a generated identicon.

Account data is retained while the account is active. Authentication and security logs are kept for a short operational window and then discarded.

Records of takeovers, coin transactions, and payments are retained permanently. These records are part of the product itself: they form the public record of every country and every ruler, and they are required for the integrity of the accounting trail. They cannot be deleted on request.

Where applicable law grants the user rights of access, rectification, portability, objection, or restriction of processing, those rights are exercised by writing to [email protected] from the email address associated with the account.

The right to erasure is fulfilled by anonymizing the account in place. The account row remains, but the display name is replaced with a generic placeholder and the avatar is reset to default. The historical events that reference the account preserve the display name and the avatar as they appeared at the time of each event, since they belong to the public record of the countries involved and of the other rulers. This limitation is necessary to preserve the integrity of records that other users rely on. Direct identifiers in the active account are removed; historical snapshots associated with prior public actions are retained.

Where this approach does not satisfy a legally protected right of erasure in a specific case, please contact us and the situation will be reviewed.

A strictly necessary session cookie is set by the authentication layer to keep the user signed in. A small number of local preferences may be stored in the browser without leaving the device. Mundus does not use third-party advertising or tracking cookies. Privacy-respecting analytics may be introduced in the future; if introduced, this policy will be updated and, where required, consent will be requested before any non-essential tracking begins.

Traffic to Mundus is encrypted in transit using TLS. Authentication is delegated to Google, so Mundus does not hold passwords. Historical events are written once and never updated, which limits the surface for tampering. When the operator has enabled Sentry, error context is monitored to detect incidents proactively. No system is immune from compromise; users are asked to report suspected incidents through [email protected].

Google, Stripe, Sentry, and the S3-compatible storage provider may operate outside the user's country of residence. Where personal data is transferred internationally, the transfer relies on the safeguards offered by the relevant provider, including standard contractual clauses where applicable.

Mundus is not directed at children. The minimum age to use the service is 18 years old. Where the user resides in Brazil, the operator complies with the obligations of Law 15.211/2025 (the Digital Statute of the Child and Adolescent) applicable to platforms that offer paid digital services. Parents or legal guardians who become aware that a minor has created an account are asked to contact [email protected] so that the account can be anonymized and any associated payment reviewed under the applicable law.

This policy may be updated. The effective date and the last updated date are shown at the top of this page. Material changes are communicated through a notice on the platform before they take effect.

Controller: Mundus, operated from Brazil. Privacy contact: [email protected].